If you’re an iPhone user you may be interested in an item of news that sprang up at the weekend regarding an SMS spoof security problem. It seems this has been an issue with every iPhone firmware revision but is also in the beta 4 version of iOS 6, due for public release shortly. The issue means that using iMessage is a safer option than SMS and although we haven’t seen any widespread exploitation of this flaw it is something that iOS users should be aware of.
A famous and well-respected jailbreaker developer and security researcher pod2g raised this issue in a recent blog and is urging that Apple finds a solution before iOS 6 is released. Basically the flaw can be used so that an outward-bound SMS can be directed to a spoof reply address. This makes iPhone users susceptible to phishing attacks or other malicious behavior and has arisen because Apple uses the reply-to address from User Header Data as the source of origin instead of the raw source.
In the pod2g blog linked to above you can see the technical details of how this works but in basic terms it could be used so that a message appears to have come from your bank for phishing purposes, used for malicious purposes from somebody trying to cause trouble for you, or a spoofed message sent to you could even be used as false evidence. The advice at this stage is not naively trust any SMS sent to your phone and Engadget reports that an iPhone proof of concept messaging tool should be coming soon and also asked Apple for comment.
An Apple representative response to Engadget was to say that these types of spoof attacks can be protected against when using iMessage rather than SMS, as addresses are verified. Apple also points out that while it takes security seriously, spoof-addressed SMS messages can be sent to any phone and urge customers to be careful when using SMS. Engadget points out that there are various services available that allow users to send SMS messages that appear to be from somebody else so this applies to other phones and operating systems and is not just applicable to iPhones.
It will certainly be interesting to see if Apple does tackle this issue before iOS 6 makes it to a final release and the iPhone 5 is released running on it and we’d like to hear your thoughts on this spoof security problem. Send us your comments to let us know if this is a major concern to you, or maybe you’re always very cautious when using SMS?